Instinct Digital - Simplify The Complex World of Financial Reporting
Security

1. IT AND SECURITY OVERVIEW

We believe the security of your information is a serious issue and we are committed to protecting the information we receive from you. We use a range of security measures to protect against the loss, misuse, and alteration of your information under our control based on the type of Personal Data and applicable processing activity. These security measures include data encryption in transit, data encryption at rest and enforcement of least privilege and need-to-know principles.

Instinct follows and adopts, where applicable, industry best practice and market-leading security tools to protect customer and business data. Our experienced IT Operations and Security team manages all areas of data, network, system and application security, including 24x7 monitoring and alerting.

Here are just some of the industry best practice security measures we employ in all of our environments:

Cloud hosted environment

We deliver products and services to our clients via a global third-party cloud platform accredited with industry-recognised certifications, including FedRAMP, ISO, SOC, PCI, and more. The cloud platform is also compliant with numerous regulations, privacy standards, and frameworks, including HIPAA, HITECH, GLBA, the EU Data Protection Directive, EU-US Privacy Shield, and FISMA.

The cloud hosting provider (Amazon Web Services) has been selected to ensure that we can host and deliver services in whichever region our clients require and comply with any data transmission restrictions and storage restrictions.

As part of our on-going commitment to our clients we monitor changes in legislation and adapt our delivery mechanisms appropriately in collaboration with our clients.

Encrypted transmission

All browser connections and communications are transmitted over SSL (TLS), ensuring the privacy and integrity of data in transit. Our servers only permit and support 128- or 256-bit cipher suites over TLS 1.2 or higher, protecting against unauthorised disclosure, modification, and replay attacks.

Encryption of authentication and session data

All authentication and session data are encrypted with AES-256, ensuring your account credentials and sessions remain protected and unreadable in a stored state.

Penetration testing and red-team assessment

Our client environments undergo rigorous annual third-party penetration testing and red-team assessment that replicates current real-world attack techniques, confirming that our infrastructure can proactively identify and repel intrusion attempts.

Web application firewall

Every client environment is protected with an enhanced web application firewall capable of detecting and blocking advanced payloads and attacks.

Distributed denial of service (DDoS) protection

Our cloud-based DDoS protection automatically detects and mitigates all types of layer 3, 4, and 7 attacks on our network.

Intrusion detection and prevention

Instinct's client environments are equipped with the latest in network security monitoring and prevention tools. All tools are specifically designed to detect and prevent malicious attacks against our clients and our services.

Dedicated web, app, and database tier

Dedicated single-tenant presentation, application, and database tiers provide complete isolation of customer data flow from browser to database.

2. ORGANISATIONAL SECURITY

Instinct has established an industry-leading security program dedicated to ensuring customers have the highest confidence in our handling of their data and information. Our security program is aligned to the ISO 27001 standards and is regularly audited and assessed by third parties and customers.

2.1 Personnel security

Instinct's personnel practices apply to all members of the Instinct workforce (“workers”)—regular employees and independent contractors—who have direct access to Instinct's internal information systems (“systems”) and/or unescorted access to Instinct's office space. All workers are required to understand and follow internal policies and standards.

Before gaining access to systems, all workers must agree to confidentiality terms, pass a background screening, and attend security training. This training covers privacy and security topics, including device security, acceptable use, preventing malware, physical security, data privacy, account management, and incident reporting.

Upon termination of work at Instinct, access to Instinct systems is immediately removed.

2.2 Security and privacy training

During their tenure, all workers are required to complete a refresh of privacy and security training at least annually. Instinct staff are also required at least annually to acknowledge that they've read and will follow Instinct's information security policies. Some workers, such as engineers, operators and support personnel who may have elevated access to systems or data, will receive additional job-specific training on privacy and security. Workers are required to report security and privacy issues to appropriate internal personnel.

2.3 Dedicated security professionals

Instinct has defined roles and responsibilities to delineate which roles in the organisation are responsible for operating our Information Security Management System (ISMS). This team comprises members of the Instinct IT and Security Operations Team, focusing on Product Security, Security Operations, Computer Security Incident Response, and Risk and Compliance.

Together, this team divides responsibilities for key aspects of Instinct's security program, as follows:

Product Security

  • Establish secure development practices and standards
  • Ensure project-level security risk assessments
  • Provide design review and code review security services for detection and removal of common security flaws
  • Train developers on secure coding practices

Security Operations

  • Build and operate security-critical infrastructure, including Instinct's public key infrastructure, event monitoring, and authentication services
  • Maintain a secure archive of security-relevant logs
  • Consult with operations personnel to ensure the secure configuration and maintenance of Instinct's production environment

CSIRT (Computer Security Incident Response Team)

  • Respond to alerts related to security events on Instinct systems
  • Manage security incidents
  • Acquire and analyse threat intelligence

Risk and Compliance

  • Coordinate penetration testing
  • Manage vulnerability scanning and remediation
  • Coordinate regular risk assessments, and define and track risk treatment
  • Manage the security awareness program
  • Coordinate audit and maintain security certifications
  • Respond to customer inquiries
  • Review and qualify vendor security posture

2.4 Policies and standards

Instinct maintains a set of policies, standards, procedures and guidelines (“security documents”) that provide the Instinct workforce with the guidance and rules for operating Instinct's ISMS. Our security documents help ensure that Instinct customers can rely on our workers to behave ethically and for our service to operate securely. Security documents include, but are not limited to:

  • Fair, ethical, and legal standards of business conduct
  • Acceptable uses of information systems
  • Classification, labelling, and handling rules for all types of information assets
  • Practices for worker identification, authentication, and authorisation for access to system data
  • Secure development, acquisition, configuration, and maintenance of systems
  • Workforce requirements for transitions, training, and compliance with ISMS policies
  • Use of encryption
  • Description, schedule, and requirements for retention of security records
  • Planning for business continuity and disaster recovery
  • Classification and management of security incidents
  • Control of changes
  • Regular use of security assessments such as risk assessments, audits, and penetration tests
  • Use of service organisations

These policies are living documents: they are regularly reviewed and updated as needed and made available to all workers to whom they apply.

2.5 Audits, compliance and third-party assessments

Instinct operates a comprehensive information security program designed to address security standards. Please contact your Account Executive for more information about the security standards that Instinct complies with and to request copies of available reports and certifications.

Audits

Instinct evaluates the design and operation of its overall ISMS for compliance with internal and external standards. At least once per year, Instinct engages credentialed assessors to perform external audits. Audit results are shared with the Instinct senior management team and all findings are tracked to resolution.

Penetration testing

Instinct engages independent entities to conduct regular application-level and infrastructure-level penetration tests. Results of these tests are shared with Instinct's senior management team. The Instinct Security Team reviews and prioritises the reported findings and tracks any identified issues through to resolution. Customers wishing to conduct their own penetration test of Instinct's platform and associated solutions may request to do so by contacting their Account Representative to obtain permission from Instinct.

Legal compliance

Instinct has access to legal and compliance professionals with extensive expertise in data privacy and security. These professionals' contributions are embedded in the development lifecycle and review of products and features for compliance with applicable legal and regulatory requirements. Instinct also has a business code of conduct that makes legal, ethical and socially responsible choices and actions fundamental to our values and defines standards for meeting those goals.

Data requests

Instinct receives requests from clients to disclose or delete data other than in the ordinary operation and provision of the Services. Our Data Request Policy addresses and details how Instinct handles requests of this nature and clearly outlines Instinct's policies and procedures for responding to such requests for customer data.

3. SECURITY BY DESIGN

3.1 Secure development lifecycle

Instinct assesses the security risk of each software development project according to our Secure Development Lifecycle. Before completion of the design phase, Instinct undertakes an assessment to qualify the security risk of the software changes introduced. This risk analysis draws on both the OWASP Top 10 and Instinct's Product Security experience, and categorises every project as High, Medium, or Low risk. Based on this analysis, Instinct creates a set of requirements that must be met before the resulting change may be released to production. All code is checked into a version-controlled repository. Code changes are subject to peer review and continuous integration testing. For the Instinct web application, Instinct's Security lead(s) operate continuous automated static analysis using advanced tools and techniques. Significant defects identified by this process are reviewed and followed to resolution by the IT Operations and Security Team.

4. PROTECTING CUSTOMER DATA

The focus of Instinct's security program is to prevent unauthorised access to customer data. To this end, our team of dedicated security practitioners, working in partnership with peers across all our teams, takes exhaustive steps to identify and mitigate risks, implement best practices, and constantly evaluate ways to improve how we protect customers' data.

4.1 Data encryption in transit and at rest

Instinct transmits data over public networks using strong encryption. This includes data transmitted between Instinct clients and the Instinct services. Instinct supports the latest recommended secure cipher suites to encrypt all traffic in transit, including the use of TLS 1.2 protocols, AES-256 encryption, and SHA-2 signatures, as supported by the clients. Instinct monitors the changing cryptographic landscape and, at Instinct's discretion, upgrades the cipher suite choices as the landscape changes while also balancing the need for compatibility with older clients.

4.2 Network security

Instinct divides its systems into separate networks to better protect sensitive client data and content. Systems supporting testing and development activities are hosted in a separate network from systems supporting Instinct's staging and production locations. Customer data submitted into the Instinct services is only permitted to exist in the Instinct staging and production network, its most tightly controlled network. Administrative access to systems within the staging and production network is limited to those engineers with a specific business need.

4.3 Classifying data and inventory management

Instinct classifies data and content into different levels to better protect the data in our platform and specifies the labelling and handling requirements for each of those classes. Instinct's ISMS considers data classifications in its encryption standards, its access control and authorisation procedures, and incident response standards, among other security documents. Customer data is classified at the highest level.

Data classifications are maintained as part of the asset management process. Instinct reviews its inventory of hardware, software and data assets at least annually to enforce correct data classification levels. Instinct restricts the flow of data to ensure that only appropriately classified systems may contain Customer data.

4.4 Authorising access

To minimise the risk of data exposure, Instinct adheres to the principle of least privilege—workers are only authorised to access data that they reasonably must handle and have access to in order to fulfil their current job responsibilities. To ensure that the principle of least privilege is applied, Instinct employs the following measures:

  • All systems used at Instinct require workers to authenticate before providing access. Workers are granted unique identifiers for that purpose.
  • Each worker's access is reviewed at least quarterly to ensure the access granted is still appropriate for the user's current job responsibilities.

Workers may be granted access to a small number of internal systems by default upon hire. Requests for additional access follow a documented process and are approved by the responsible owner or manager.

4.5 Authentication

To further reduce the risk of unauthorised access to data, Instinct employs multi-factor authentication for administrative access to systems with more highly classified data. Where possible and appropriate, Instinct uses private keys for authentication. For example, at this time, administrative access to production servers requires operators to connect using both an SSH key and a one-time password associated with a device-specific token. Where passwords are used, multi-factor authentication is enabled for access to higher data classifications. The passwords themselves are required to be complex (auto-generated to ensure uniqueness, longer than 12 characters, and not consisting of a single dictionary word, among other requirements).

Instinct requires personnel to use an approved password manager. Password managers generate, store and enter unique and complex passwords. The use of a password manager helps avoid password reuse, phishing, and other behaviours that can reduce security.

4.6 System monitoring, logging and alerting

Instinct monitors servers, workstations and mobile devices to retain and analyse a comprehensive view of the security state of its corporate and production infrastructure. Administrative access, use of privileged commands and system calls on all servers in Instinct's production network are logged.

Instinct's IT Operations and Security team collects and stores production logs for analysis. Logs are stored in a separate network. Access to this network is restricted to members of the IT Operations and Security Team. Logs are protected from modification and retained for at least two years. Analysis of logs is automated to the extent practical to detect potential issues and alert responsible personnel. Alerts are examined and resolved based on documented priorities.

4.7 Endpoint monitoring

Instinct's workstations run various monitoring tools that may detect suspicious code or unsafe configuration or user behaviour. Instinct's IT Operations and Security Team continually monitors workstation alerts and ensures significant issues are resolved in a timely fashion.

4.8 Mobile device management

Mobile devices that are used to transact company business are centrally managed and required to be enrolled in the appropriate mobile device management systems, to ensure they meet Instinct's security standards.

4.9 Responding to security incidents

Instinct has established policies and procedures for responding to potential security incidents. Instinct's Security Incident Response personnel manage all incidents. Instinct defines the types of events that must be managed via the incident response process. Incidents are classified by severity. Incident response procedures are tested and updated at least annually.

4.10 Data and media disposal

Instinct deletes information from current production systems at client's request. Backups are routinely destroyed within 15 days. Instinct follows industry standards and advanced techniques for data destruction. Instinct defines policies and standards requiring media be properly sanitised once it is no longer in use. Instinct's hosting provider is responsible for ensuring the removal of data from disks allocated to Instinct's use before they are repurposed.

4.11 Workstation security

All workstations issued to workers are configured by Instinct to comply with our standards for security. These standards require all workstations to be properly configured, kept updated, run monitoring software and be tracked by Instinct's IT Operations and Security Team. Instinct's default configuration sets up workstations to encrypt data, have strong passwords, and lock when idle.

Workstations run up-to-date monitoring software to report potential malware and unauthorised software and mobile storage devices.

4.12 Controlling system operations and continuous deployment

We take a variety of steps to combat the introduction of malicious or erroneous code into our operating environment and protect against unauthorised access.

Controlling change

To minimise the risk of data exposure, Instinct controls changes, especially changes to production systems, very carefully. Instinct applies change control requirements to systems that store data at higher levels of sensitivity. These requirements are designed to ensure that changes potentially impacting Customer Data are documented, tested, and approved before deployment.

Server hardening

New servers deployed to production are hardened in accordance with security best practice (CIS benchmark framework). All unneeded services are disabled, default passwords are removed, and Instinct's custom configuration settings are applied to each server before use.

File change management

Instinct maintains the configuration of its production servers by using a configuration management system (CMS) that runs frequently to check that only the authorised version of each key file is deployed. This CMS will overwrite files found on servers that do not match the correct version stored in a change-controlled repository.
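As an added illustration of this kind of file-integrity enforcement (example code, not Instinct's own CMS), the following script compares managed files on a server against the authorised copies in a repository checkout, reports any drift, and restores every file that differs. The managed paths, the repository and server directories, and the sample file contents are constructed assumptions.

```python
# Added example, not Instinct's own configuration management system.
# Assumptions: a local directory stands in for the change-controlled
# repository checkout, and MANAGED lists the relative paths of key files.
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed list of managed files (hypothetical paths).
MANAGED = ["etc/app/config.ini", "etc/ssh/sshd_config", "etc/app/allowlist.txt"]


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def check_drift(repo: Path, server: Path, managed: list[str]) -> dict[str, str]:
    """Return {relative_path: 'ok' | 'modified' | 'missing'} per managed file."""
    report = {}
    for rel in managed:
        deployed = server / rel
        if not deployed.is_file():
            report[rel] = "missing"
        elif sha256_of(deployed) != sha256_of(repo / rel):
            report[rel] = "modified"
        else:
            report[rel] = "ok"
    return report


def enforce(repo: Path, server: Path, managed: list[str]) -> list[str]:
    """Overwrite drifted or missing files with the authorised copy and return
    the list restored. Each restored file is also a detection signal: it means
    something changed the file outside the change-control process."""
    restored = []
    for rel, status in check_drift(repo, server, managed).items():
        if status != "ok":
            dest = server / rel
            dest.parent.mkdir(parents=True, exist_ok=True)
            shutil.copy2(repo / rel, dest)
            restored.append(rel)
    return restored


def demo() -> tuple[dict[str, str], list[str], dict[str, str]]:
    """Constructed scenario: one file tampered with, one missing, one intact."""
    base = Path(tempfile.mkdtemp())
    repo, server = base / "repo", base / "server"
    for rel in MANAGED:
        for root in (repo, server):
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (repo / rel).write_text(f"# authorised {rel}\n")
    (server / MANAGED[0]).write_text(f"# authorised {MANAGED[0]}\ndebug = true\n")  # tampered
    (server / MANAGED[1]).write_text(f"# authorised {MANAGED[1]}\n")  # intact
    # MANAGED[2] is deliberately absent on the server.
    before = check_drift(repo, server, MANAGED)
    restored = enforce(repo, server, MANAGED)
    after = check_drift(repo, server, MANAGED)
    shutil.rmtree(base)
    return before, restored, after


if __name__ == "__main__":
    print(demo())
```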

5. DISASTER RECOVERY AND BUSINESS CONTINUITY

Instinct utilises services provided by its hosting provider to distribute its production operation across three separate physical locations. These three locations are within one geographic region but protect Instinct's service from loss of connectivity, power, infrastructure, and other common location-specific failures. All client environments are replicated among these discrete operating environments to ensure the availability of Instinct's service in the event of a location-specific catastrophic event. Full backups are saved to remote locations continuously. Instinct tests backups at least quarterly to ensure they can be correctly restored.

6. THIRD-PARTY SUPPLIERS

To run its business efficiently, Instinct relies on sub-service organisations. Where those sub-service organisations may impact Instinct's production environment's security, Instinct takes appropriate steps to ensure its security posture is maintained. Instinct establishes agreements that require service organisations to adhere to confidentiality commitments Instinct has made to its clients. Instinct monitors the effective operation of the organisation's safeguards by conducting reviews of its service organisation controls before use and at least annually.

Copyright © 2022 Instinct Digital Limited. All rights reserved.